Regulating internet surveillance

RIPA is dead, long live the IPA? As the so-called Snooper’s Charter comes into force, Tom Hickman examines the two regimes, recent case law and checks and balances on the state’s new bulk digital surveillance powers

If your life is anything like mine, you will spend most of every working day connected to the internet. Quite apart from the time spent on your work desktop, home laptop or tablet, the telephone in your pocket will be connecting to the internet throughout the day. You will spend a good portion of your commute online, catching up on the news or listening to podcasts. You probably communicate with friends, relatives and others over email, internet messaging apps or on social media. You will use the internet for banking and investing transactions, booking travel and entertainment; and increasingly, all these things are done from apps on a mobile device. Your car may be connecting to the internet as you drive, and if you are a little more tech savvy (certainly, more than me) even your house may be connected to an app on your phone allowing you to do everything from controlling the security system to adjusting the heating (the so-called Internet of Things).

If all of this information could be collected and aggregated it would enable an enormously revealing picture to be built up of your lifestyle, movements, associates, habits and preferences. Indeed, this would be the case even if the data collected excluded the content of emails and messages. As the Grand Chamber of the Court of Justice recognised in a recent case, the aggregation of ‘communications data’ enables the state to create ‘a profile of the individuals concerned, information that is no less sensitive, having regard to the right to privacy, than the actual content of communications’ (C293/12, C594/12).

The law regulating access to internet data is about to change fundamentally as the Investigatory Powers Act 2016 (IPA) is progressively implemented over the coming months. It replaces the Regulation of Investigatory Powers Act 2000 (RIPA). It will bring into force what is probably the world’s most comprehensive regime for controlling state access to telephony and internet data.

That is not to say that the IPA is necessarily adequate from a privacy perspective. It sharply divides opinion on this issue. Liberty, for instance, criticises the Act as the ‘most intrusive mass surveillance regime ever introduced in a democracy’, in particular its entrenchment of so-called ‘bulk’ surveillance powers.

The RIPA regime

It was the Snowden leaks that awoke civil society to the extent of modern state surveillance powers and the extent to which old laws were creaking under the strain of regulating them. It is worth casting one’s mind back to how things were in 2000 when the Regulation of Investigatory Powers Bill was introduced to Parliament. Mark Zuckerberg was only 15 years old. His college start-up was not even a twinkle in his eye, let alone the social media behemoth it is today. Google was in relative infancy: it had been launched less than two years before from a garage in California and was breaking onto the scene. We were years away from the use of the internet to communicate via mobile phones, from instant messaging apps and from social media. The first mobile tablet, the iPad, would not be launched for another ten years. The internet was a very different place in 2000, accessed in a much more limited way and for limited purposes, probably at the time mainly for work-based email.

On its face, RIPA did not have very much if anything to say about the internet. But accessing the internet is captured by the definition of communications in the Act. In evidence to the Investigatory Powers Tribunal in 2014, in a claim brought on the back of the Snowden leaks, the government explained how RIPA applies in the modern age (IPT 14/85/CH 14/120-126/CH). It was explained that, in addition to targeted interception, the government intercepts large quantities of internet communications that are passing along fibre optic cables between the UK and other countries. This is not a process of interception that can be targeted on particular individuals.

The amount of data presumably intercepted in this way is unimaginably huge. Indeed, because of the geographical location of the UK (between Europe and the USA) and the vast network of submarine cables which run from the British Islands, the UK has privileged access to global internet communications.

The government’s evidence went on to highlight how the nature of modern internet usage means that a great deal of internet communication by people in the UK, even when interacting with other people in the UK, will be collected by this form of interception. Placing a message on a Facebook page or sending a tweet constitutes a communication not with the recipient of such messages, but with the internet platform often based in the USA. Similarly, a Google search represents a communication with Google often in the USA. Emails and other messages are frequently routed out of the UK and therefore can be picked up by this form of ‘bulk’ collection even if they are emails sent to a person in the office next door.

Whilst the possibility of capturing UK to UK communications through intercepting submarine cables was appreciated at the time RIPA was enacted, the transformation in internet usage has correspondingly transformed the significance and intrusiveness of this power. The chief protection in RIPA on the examination of material captured in this way applies only to the content of communications and not ‘communications data’, which as explained at the outset of this article can be extremely revealing.

There have also been other surprises, such as the fact that a little-known provision of the Telecommunications Act 1984 has been used by GCHQ to obtain communications data in bulk from telecommunications companies, despite the fact that the provision says nothing about the subject. A challenge is pending in the Investigatory Powers Tribunal.

"The Snowden leaks awoke civil society to the extent of modern state surveillance powers and the extent to which old laws were creaking under the strain of regulating them"

David Anderson QC’s review of the RIPA regime concluded that it was ‘obscure’ and ‘incomprehensible to all but a tiny band of initiates’. He pointed out that a multitude of alternative powers, some of them without statutory safeguards, confused the picture further. The position was ‘undemocratic, unnecessary and – in the long run – intolerable’.

The IPA regime

The IPA sets out for the first time a detailed code to regulate covert access and use of internet and telephony data. This includes a suite of ‘bulk’ powers, including bulk interception and bulk communications data acquisition powers. Critics of the IPA are right to point out that Parliament did nothing to curb the surveillance powers of police and intelligence agencies, and in some respects extended them.

The price of the renewed democratic licence to operate the covert powers set out in the Act was the introduction of judicial approval of warrants. Generally speaking, warrants are required for intercepting the content of communications or for equipment interference (computer hacking). At present, warrants are issued by Secretaries of State. Under the IPA, a warrant cannot be issued by the Secretary of State unless it has been approved by a Judicial Commissioner (JC). JCs are required by the Act to review the necessity and proportionality of the warrant. This represents a fundamental constitutional change, the effect of which will probably not be fully apparent for several years.

Fifteen JCs have been appointed, under the overall authority of Lord Justice Fulford, who holds the new post of Investigatory Powers Commissioner. Each of the JCs holds or has held high judicial office and they are drawn from each country in the UK.

The Investigatory Powers Commissioner has recently published his first ‘Advisory Notice’, which aims to bring some transparency and clarity to the role that JCs will perform in approving warrants. One of the issues the notice addresses is what the Commissioner makes of the injunction in the IPA that JCs should apply the same approach as would be applied in a ‘judicial review’. This issue attracted a great deal of debate during the passage of the Bill with many taking the view that the JCs would be restricted to applying Wednesbury review. Those suggestions have been scotched by the Advisory Notice.

The notice explains that in cases engaging fundamental rights UK courts ask themselves in judicial review proceedings whether a measure is necessary and proportionate, not whether the Secretary of State’s view that the measure is proportionate is a rational view to hold. Therefore, ‘the Judicial Commissioners will not… approach their task by asking whether a Secretary of State’s decision that a warrant is necessary and proportionate is Wednesbury reasonable, as this would not provide the requisite independent safeguard’.

One inadequacy in the IPA has already been exposed. It relates to the power for public authorities to issue notices to obtain communications data, ie non-content data. This power does not require a warrant.

Following a ruling of the Grand Chamber of the CJEU, the Court of Appeal ruled in January this year in the Tom Watson case that the absence of independent approval of such notices is contrary to EU law (SSHD v Watson & Ors [2018] EWCA Civ 70). The government intends to amend the IPA to introduce a requirement of approval by independent officials who will be under the authority of the Investigatory Powers Commissioner.

This episode is reflective of the fact that the law in this field, in the UK and abroad, has historically drawn a sharp distinction between content and non-content data, giving heightened protection to the former. But as explained at the outset of this article, the relevance of that distinction from the perspective of individual privacy has been greatly eroded by technological and societal changes.

Safeguards yet to be tested

We have come a long way since RIPA was enacted. But the journey is by no means over. The IPA sets out the skeleton for the regime of judicial oversight and approval of covert surveillance powers but how that regime operates in practice will depend to a large degree on how the Investigatory Powers Commissioner and the JCs exercise their considerable powers.

Contributor Tom Hickman is a barrister at Blackstone Chambers and Standing Counsel to the Investigatory Powers Commissioner

Regulating internet surveillance

If your life is anything like mine, you will spend most of every working day connected to the internet. Quite apart from the time spent on your work desktop, home laptop or tablet, the telephone in your pocket will be connecting to the internet throughout the day. You will spend a good portion of your commute online, catching up on the news or listening to podcasts. You probably communicate with friends, relatives and others over email, internet messaging apps or on social media. You will use the internet for banking and investing transactions, booking travel and entertainment; and increasingly, all these things are done from apps on a mobile device. Your car may be connecting to the internet as you drive, and if you are a little more tech savvy (certainly, more than me) even your house may be connected to an app on your phone allowing you to do everything from controlling the security system to adjusting the heating (the so-called Internet of Things).

If all of this information could be collected and aggregated it would enable an enormously revealing picture to be built up of your lifestyle, movements, associates, habits and preferences. Indeed, this would be the case even if the data collected excluded the content of emails and messages. As the Grand Chamber of the Court of Justice recognised in a recent case, the aggregation of ‘communications data’ enables the state to create ‘a profile of the individuals concerned, information that is no less sensitive, having regard to the right to privacy, than the actual content of communications’ (C293/12, C594/12).

The law regulating access to internet data is about to change fundamentally as the Investigatory Powers Act 2016 (IPA) is progressively implemented over the coming months. It replaces the Regulation of Investigatory Powers Act 2000 (RIPA). It will bring into force what is probably the world’s most comprehensive regime for controlling state access to telephony and internet data.

That is not to say that the IPA is necessarily adequate from a privacy perspective. It sharply divides opinion on this issue. Liberty, for instance, criticises the Act as the ‘most intrusive mass surveillance regime ever introduced in a democracy’, in particular its entrenchment of so-called ‘bulk’ surveillance powers.

The RIPA regime

It was the Snowden leaks that awoke civil society to the extent of modern state surveillance powers and the extent to which old laws were creaking under the strain of regulating them. It is worth casting one’s mind back to how things were in 2000 when the Regulation of Investigatory Powers Bill was introduced to Parliament. Mark Zuckerberg was only 15 years old. His college start-up was not even a twinkle in his eye, let alone the social media behemoth it is today. Google was in relative infancy: it had been launched less than two years before from a garage in California and was breaking onto the scene. We were years away from the use of the internet to communicate via mobile phones, from instant messaging apps and from social media. The first mobile tablet, the iPad, would not be launched for another ten years. The internet was a very different place in 2000, accessed in a much more limited way and for limited purposes, probably at the time mainly for work-based email.

On its face, RIPA did not have very much if anything to say about the internet. But accessing the internet is captured by the definition of communications in the Act. In evidence to the Investigatory Powers Tribunal in 2014, in a claim brought on the back of the Snowden leaks, the government explained how RIPA applies in the modern age (IPT 14/85/CH 14/120-126/CH). It was explained that, in addition to targeted interception, the government intercepts large quantities of internet communications that are passing along fibre optic cables between the UK and other countries. This is not a process of interception that can be targeted on particular individuals.

The amount of data presumably intercepted in this way is unimaginably huge. Indeed, because of the geographical location of the UK (between Europe and the USA) and the vast network of submarine cables which run from the British Islands, the UK has privileged access to global internet communications.

The government’s evidence went on to highlight how the nature of modern internet usage means that a great deal of internet communication by people in the UK, even when interacting with other people in the UK, will be collected by this form of interception. Placing a message on a Facebook page or sending a tweet constitutes a communication not with the recipient of such messages, but with the internet platform often based in the USA. Similarly, a Google search represents a communication with Google often in the USA. Emails and other messages are frequently routed out of the UK and therefore can be picked up by this form of ‘bulk’ collection even if they are emails sent to a person in the office next door.

Whilst the possibility of capturing UK to UK communications through intercepting submarine cables was appreciated at the time RIPA was enacted, the transformation in internet usage has correspondingly transformed the significance and intrusiveness of this power. The chief protection in RIPA on the examination of material captured in this way applies only to the content of communications and not ‘communications data’, which as explained at the outset of this article can be extremely revealing.

There have also been other surprises, such as the fact that a little-known provision of the Telecommunications Act 1984 has been used by GCHQ to obtain communications data in bulk from telecommunications companies, despite the fact that the provision says nothing about the subject. A challenge is pending in the Investigatory Powers Tribunal.

"The Snowden leaks awoke civil society to the extent of modern state surveillance powers and the extent to which old laws were creaking under the strain of regulating them"

David Anderson QC’s review of the RIPA regime concluded that it was ‘obscure’ and ‘incomprehensible to all but a tiny band of initiates’. He pointed out that a multitude of alternative powers, some of them without statutory safeguards, confused the picture further. The position was ‘undemocratic, unnecessary and – in the long run – intolerable’.

The IPA regime

The IPA sets out for the first time a detailed code to regulate covert access and use of internet and telephony data. This includes a suite of ‘bulk’ powers, including bulk interception and bulk communications data acquisition powers. Critics of the IPA are right to point out that Parliament did nothing to curb the surveillance powers of police and intelligence agencies, and in some respects extended them.

The price of the renewed democratic licence to operate the covert powers set out in the Act was the introduction of judicial approval of warrants. Generally speaking, warrants are required for intercepting the content of communications or for equipment interference (computer hacking). At present, warrants are issued by Secretaries of State. Under the IPA, a warrant cannot be issued by the Secretary of State unless it has been approved by a Judicial Commissioner (JC). JCs are required by the Act to review the necessity and proportionality of the warrant. This represents a fundamental constitutional change, the effect of which will probably not be fully apparent for several years.

Fifteen JCs have been appointed, under the overall authority of Lord Justice Fulford, who holds the new post of Investigatory Powers Commissioner. Each of the JCs holds or has held high judicial office and they are drawn from each country in the UK.

The Investigatory Powers Commissioner has recently published his first ‘Advisory Notice’, which aims to bring some transparency and clarity to the role that JCs will perform in approving warrants. One of the issues the notice addresses is what the Commissioner makes of the injunction in the IPA that JCs should apply the same approach as would be applied in a ‘judicial review’. This issue attracted a great deal of debate during the passage of the Bill with many taking the view that the JCs would be restricted to applying Wednesbury review. Those suggestions have been scotched by the Advisory Notice.

The notice explains that in cases engaging fundamental rights UK courts ask themselves in judicial review proceedings whether a measure is necessary and proportionate, not whether the Secretary of State’s view that the measure is proportionate is a rational view to hold. Therefore, ‘the Judicial Commissioners will not… approach their task by asking whether a Secretary of State’s decision that a warrant is necessary and proportionate is Wednesbury reasonable, as this would not provide the requisite independent safeguard’.

One inadequacy in the IPA has already been exposed. It relates to the power for public authorities to issue notices to obtain communications data, ie non-content data. This power does not require a warrant.

Following a ruling of the Grand Chamber of the CJEU, the Court of Appeal ruled in January this year in the Tom Watson case that the absence of independent approval of such notices is contrary to EU law (SSHD v Watson & Ors [2018] EWCA Civ 70). The government intends to amend the IPA to introduce a requirement of approval by independent officials who will be under the authority of the Investigatory Powers Commissioner.

This episode is reflective of the fact that the law in this field, in the UK and abroad, has historically drawn a sharp distinction between content and non-content data, giving heightened protection to the former. But as explained at the outset of this article, the relevance of that distinction from the perspective of individual privacy has been greatly eroded by technological and societal changes.

Safeguards yet to be tested

We have come a long way since RIPA was enacted. But the journey is by no means over. The IPA sets out the skeleton for the regime of judicial oversight and approval of covert surveillance powers but how that regime operates in practice will depend to a large degree on how the Investigatory Powers Commissioner and the JCs exercise their considerable powers.

Contributor Tom Hickman is a barrister at Blackstone Chambers and Standing Counsel to the Investigatory Powers Commissioner

RIPA is dead, long live the IPA? As the so-called Snooper’s Charter comes into force, Tom Hickman examines the two regimes, recent case law and checks and balances on the state’s new bulk digital surveillance powers